Oracle Audit Vault Best Practices
Best Practices, Nov 2007

Contents

Introduction
Installing Audit Vault
  Deployment Plan
    Audit Vault Server
    Audit Vault Collection Agent
    Which Collector(s) Should I Deploy?
    Recommended Collector and Database Audit Configuration
  Near Real-Time Alerts
  Near Real-Time Reporting
    Recommendations on ETL process
Oracle Database Auditing
  Audit Trail Contents and Locations
    Recommended Database Audit Configuration
  Audit Settings – Secure Configuration
    Recommended Database Audit Settings
    Database Auditing Performance
    Auditing and the Audit Vault Collectors
Managing Audit Data on the Source
    Removing Audit Data from the Database
    Recommended Database Audit Cleanup Periods
    Removing Audit Data from the Operating System
Oracle Audit Vault Maintenance
    Audit Vault Server Log Files
    Audit Vault Collection Agent Log Files
    Oracle Audit Vault Disaster Recovery
    Recommended Recovery Configuration
Appendix A. Audit Trail Maintenance Scripts
Appendix B. Database Source Audit Settings
Introduction

Oracle Audit Vault automates the audit data consolidation and analysis process, turning audit data into a key security resource to help address today's security and compliance challenges. Oracle Audit Vault is built on Oracle's industry-leading database security and data warehousing products.

This paper provides best practices for deploying Oracle Audit Vault in your enterprise. Information on deployment architectures and expected performance is included. In addition, this paper describes the auditing capabilities of the Oracle database and recommended best practices for using them. Oracle Audit Vault supports consolidating audit data from Oracle9i Release 2 and higher databases. Oracle is currently working to support heterogeneous databases in a future release of Oracle Audit Vault.

Please note that this document will be updated on a regular basis to contain the latest information based on development and customer feedback. These best practices will be included in future releases of the Oracle Audit Vault documentation.

Installing Audit Vault

The architecture of Audit Vault consists of two major components that work in concert to store and secure the audit data. They are:

- Audit Vault Server – A stand-alone data warehouse built on a customized installation of Oracle Database 10g (10.2.0.3), with Oracle Database Vault providing security and OC4J components supporting the Audit Vault Console and Enterprise Manager's Database Control.
- Audit Vault Collection Agent – The Collection Agent is responsible for managing collectors and maintaining the Audit Vault wallet.
  - Collectors – A collector is specific to an audit source and acts as the middleman between the source and the Audit Vault Server, pulling the audit trail data from the source and sending it to the Audit Vault Server over SQL*Net.
  - Audit Vault Wallet – The wallet holds the password the collector uses to connect to the source database and pull its audit data.
  
Figure 1 Audit Vault Architecture 
 
 
Deployment Plan

While Audit Vault provides consolidation and secure storage of audit data, planning the installation of the Audit Vault components will ensure a faster installation and the overall success of implementing a compliant solution. The following sections discuss the pre-installation considerations for the Audit Vault Server and the Audit Vault Collection Agents.

Audit Vault Server

The Audit Vault Server should be installed on its own host, or on a host that contains other repository databases such as Enterprise Manager Grid Control or the Oracle Recovery Manager (RMAN) repository database. Installing the Audit Vault Server separately from the source database servers provides the following benefits:

- Higher Availability – When the Audit Vault Server is on a separate server from the source databases, its availability does not depend on any source host's up/down status, so audit data continues to be collected from all sources that are running.
- Secured Audit Trail – By extracting the audit trail records off the source database as fast as possible, there is very little opportunity for privileged database and operating system users to modify any audit records.

The resources required to install and maintain the Audit Vault Server depend on how fast you need the audit records to be inserted into Audit Vault and how long you must retain audit data. In internal testing on a 2x6GB 3GHz Intel Xeon, Redhat 3.2 Linux host, the Audit Vault Server inserted up to 17,000 audit records per second. Storing 500,000 audit trail records in the Audit Vault repository database requires approximately 300 MB of disk space. An additional 2 GB of disk space is needed for the ORACLE_HOME files.

For scalability and availability, the Audit Vault Server may optionally be deployed on Real Application Clusters (RAC), with Data Guard for disaster recovery.

Check the Audit Vault Server Installation Guide for the platform you will be installing on for that operating system's requirements.

Audit Vault Collection Agent

The Oracle database can write audit trail data into the database (SYS.AUD$/SYS.FGA_LOG$) and/or into operating system files. The online log (redo log) of the Oracle database also contains the before/after values of data changes. Audit Vault deploys a process called a Collector, specific to each Oracle database audit trail, to extract the audit data and send it to the Audit Vault Server. The three types of collectors are DBAUD for database auditing, OSAUD for operating system files written by the Oracle database, and REDO, which extracts audit data from the redo stream.

The Audit Vault Collection Agent provides support for audit data collection. The agent loads the collectors, provides them with a connection to the Audit Vault Server for sending audit data, and reports run-time metrics on the collectors. Audit Vault communicates with the audit data source through its agent.

The Audit Vault Collection Agent may be installed on the same host as the database to be audited, on the Audit Vault Server host, or on a host separate from both the Audit Vault Server and the audited database. Let's look at each of these scenarios to determine the best location within your environment for the Audit Vault Collection Agent.

- Same host as the audited database (Recommended) – If the database audit trail destination is the operating system, the Audit Vault Collection Agent must be installed on the same host as those operating system files.
- Audit Vault Server host – If the database audit trail destination is the database tables (SYS.AUD$/SYS.FGA_LOG$), the Audit Vault Collection Agent may be installed on the Audit Vault Server host. All software components used by Audit Vault would then be consolidated on a single host.
- Separate from the audited host and the Audit Vault Server – If the database audit trail destination is the database tables (SYS.AUD$/SYS.FGA_LOG$), the Audit Vault Collection Agent may be installed on a host different from both the audited database and the Audit Vault Server.

Recommended Agent Configuration

Oracle recommends that the Audit Vault Collection Agent be installed on the same server as the databases being audited. In the case of RAC, the agent should be installed on each node running an instance, since each node writes its own operating system audit files. This configuration allows the agent to service audit data from either the database tables (SYS.AUD$/SYS.FGA_LOG$) or the operating system files.

Which Collector(s) Should I Deploy?

Audit Vault collectors transport audit data from the source to the Audit Vault Server. The collectors are controlled by the Audit Vault Collection Agents described in the previous section. The Oracle Audit Vault Collection Agent may deploy three different collectors depending on where the audit data is written: database tables, operating system files, or the redo logs. Note that Oracle stores some valuable audit-related information in the redo logs; as a result, Oracle Audit Vault provides a REDO collector to retrieve it. Table 1 below lists the characteristics of the audit trail locations to help you determine where to write the audit trail and which collector(s) should be deployed to move the audit data into Audit Vault.
Table 1 Audit Trail Characteristics

Characteristic             Database tables (AUD$/FGA_LOG$)   Operating system files   Redo logs
SELECT                     yes                               yes                      -
DML                        yes                               yes                      yes
DDL                        yes                               yes                      yes
Before and After Values    -                                 -                        yes
Success and Failure        yes                               yes                      -
SQL Text for SYS           -                                 yes                      -
SYS Auditing               -                                 yes                      yes
Other considerations       FGA data values for a …           Separation of Duties     Supplemental logging

The three collector types are called DBAUD, OSAUD, and REDO. Each collector type retrieves audit records from a different location in the source Oracle database, as shown below in Table 2.
Table 2 Audit Vault Collector Types
Depending on the type of audit information generated and retained, you may deploy one, two, or all three collectors for each source database.
Recommended Collector and Database Audit Configuration

Oracle recommends using the operating system as your primary audit trail location and deploying the OSAUD collector, because writing the audit trail to the operating system imposes the least performance overhead on the database. Please refer to the Oracle Database Auditing section within this document for information on configuring the database to write audit information to the operating system.
Near Real-Time Alerts

Security alerts can be used for proactive notification of compliance, privacy, and insider threat issues across the enterprise. Oracle Audit Vault provides IT security personnel with the ability to detect and alert on suspicious activity, attempts to gain unauthorized access, and abuse of system privileges.

Oracle Audit Vault can generate alerts on specific system-defined or user-defined events, acting as an early warning system against insider threats and helping detect changes to baseline configurations or activity that could violate compliance. Oracle Audit Vault continuously monitors the audit data collected, evaluating the activities against defined alert conditions.

Alerts are generated when the data in a single audit record matches a custom-defined alert rule condition. For example, a rule condition may be defined to raise an alert whenever a privileged user attempts to grant someone access to sensitive data.

In Oracle's in-house testing of the Audit Vault Server, it was possible to achieve a throughput of 17,000 audit trail record insertions per second using a 2x6GB 3GHz Intel Xeon, Redhat 3.2 Linux x86 system. To achieve near real-time alerting, size the host to meet your business requirements.

Near Real-Time Reporting

After audit data is transferred from the source to Audit Vault, an Oracle DBMS_SCHEDULER job runs an ETL (extract, transform, load) process to normalize the raw audit data into the data warehouse. In Oracle's in-house testing, the ETL job processed 500,000 records in a little over 50 seconds on a 2x6GB 3GHz Intel Xeon, Redhat 3.2 Linux x86 system. Out of the box, the default DBMS_SCHEDULER job runs every 24 hours.

Audit Vault provides statistics on the ETL runs that update the warehouse, as shown below in Figure 2. Using this information, you can estimate how often the job should run to keep the data warehouse current. The data warehouse infrastructure is documented in the Oracle Audit Vault Auditor's Guide.

Recommendations on ETL process

The ETL process may be run more often to provide near real-time reporting. Oracle recommends that the previous ETL job complete before the next ETL job is initiated.
Figure 2 Audit Vault Warehouse Load Results
Oracle Audit Vault has been developed on a flexible data warehouse infrastructure that consolidates audit data so that it can be easily secured, managed, accessed, and analyzed. In addition to the out-of-the-box reports provided by Oracle Audit Vault, Audit Vault provides an open audit warehouse schema that can be accessed from Oracle BI Publisher, Oracle Application Express, or any third-party reporting tool for customized security and compliance reporting.

Oracle Database Auditing

Oracle has provided robust auditing capabilities since the release of Oracle7 in the early 1990s. Oracle database auditing can be highly customized to address specific compliance and privacy requirements. Audit records include information about the operation that was audited, the user performing the operation, and the date and time of the operation. Audit records can be stored in the database audit trail or in files on the operating system. There are two types of general auditing: standard and fine-grained. Standard auditing covers privileges, schemas, objects, and statements. Fine-grained auditing is policy based; in Oracle9i it is enforced on SELECT operations only, and Oracle Database 10g extended policy-based auditing to INSERT, UPDATE and DELETE operations.
Audit Trail Contents and Locations

Audit trail records can contain different types of information, depending on the events audited and the auditing options set. Some of that information includes:

- Operating system login user name (CLIENT USER)
- Database user name (DATABASE USER)
- Session identifier
- Terminal identifier
- Name of the schema object accessed
- Operation performed or attempted (ACTION)
- Date and time stamp in UTC (Coordinated Universal Time) format
- System privileges used (PRIVILEGE)
- Proxy session audit ID
- Global user unique ID
- Instance number
- Process number
- Transaction ID
- SCN (system change number) for the SQL statement
- SQL text that triggered the auditing (SQLTEXT)
- Bind values used for the SQL statement, if any (SQLBIND)

Audit Vault extracts audit data from either the database tables or the operating system files. To enable database auditing, the initialization parameter AUDIT_TRAIL should be set to one of these values:
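The alert rule described under Near Real-Time Alerts (a privileged user granting access to sensitive data) and the record fields listed above, as an added example that is not Oracle's or Audit Vault's own code: a small Python parser for operating-system audit trail records, followed by per-record alert rules of the kind Audit Vault evaluates against each collected record. The sample records are constructed here to approximate the text format of the Oracle Database 10g OS audit trail (a timestamp line, then one line of KEY: "value" pairs); the ACTION codes (3 SELECT, 17 GRANT OBJECT, 100 LOGON) follow Oracle's AUDIT_ACTIONS table and should be checked against your release; the sensitive-object and privileged-user lists, the user names and the host names are made up for the demonstration.

```python
# Added example, not Oracle Audit Vault code: parse OS audit trail records
# and evaluate single-record alert rules over them.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# CONSTRUCTED sample approximating the Oracle 10g text-format OS audit trail.
SAMPLE_AUDIT_TRAIL = """\
Tue Nov 13 10:22:31 2007
SESSIONID: "4711" ENTRYID: "1" STATEMENT: "1" USERID: "HR" USERHOST: "app01" TERMINAL: "pts/2" ACTION: "100" RETURNCODE: "0" OS$USERID: "hrapp"
Tue Nov 13 10:22:40 2007
SESSIONID: "4711" ENTRYID: "2" STATEMENT: "5" USERID: "HR" USERHOST: "app01" TERMINAL: "pts/2" ACTION: "3" RETURNCODE: "0" OBJ$CREATOR: "HR" OBJ$NAME: "EMPLOYEES" OS$USERID: "hrapp"
Tue Nov 13 10:23:02 2007
SESSIONID: "4712" ENTRYID: "1" STATEMENT: "1" USERID: "DBA1" USERHOST: "lap-22" TERMINAL: "pts/5" ACTION: "100" RETURNCODE: "1017" OS$USERID: "jsmith"
Tue Nov 13 10:23:09 2007
SESSIONID: "4713" ENTRYID: "1" STATEMENT: "1" USERID: "DBA1" USERHOST: "lap-22" TERMINAL: "pts/5" ACTION: "100" RETURNCODE: "0" OS$USERID: "jsmith"
Tue Nov 13 10:23:30 2007
SESSIONID: "4713" ENTRYID: "2" STATEMENT: "4" USERID: "DBA1" USERHOST: "lap-22" TERMINAL: "pts/5" ACTION: "17" RETURNCODE: "0" OBJ$CREATOR: "HR" OBJ$NAME: "SALARIES" OS$USERID: "jsmith"
Tue Nov 13 10:23:44 2007
SESSIONID: "4713" ENTRYID: "3" STATEMENT: "6" USERID: "DBA1" USERHOST: "lap-22" TERMINAL: "pts/5" ACTION: "3" RETURNCODE: "0" OBJ$CREATOR: "HR" OBJ$NAME: "SALARIES" OS$USERID: "jsmith"
"""

# Assumed ACTION codes (Oracle's AUDIT_ACTIONS table; verify on your release).
ACTION_NAMES = {2: "INSERT", 3: "SELECT", 6: "UPDATE", 7: "DELETE",
                17: "GRANT OBJECT", 18: "REVOKE OBJECT", 100: "LOGON", 101: "LOGOFF"}
# Made-up policy inputs for the demonstration.
SENSITIVE_OBJECTS = {"HR.SALARIES", "HR.SSN_MAP"}
PRIVILEGED_USERS = {"SYS", "SYSTEM", "DBA1"}

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")
FIELD_RE = re.compile(r'([A-Z$]+): "([^"]*)"')


@dataclass
class AuditRecord:
    timestamp: str
    session_id: str
    db_user: str                 # DATABASE USER
    os_user: str                 # CLIENT USER (operating system login)
    user_host: str
    action: int                  # ACTION code
    return_code: int             # 0 on success, otherwise the ORA- error number
    object_name: Optional[str]   # SCHEMA.OBJECT when the record names an object

    @property
    def action_name(self) -> str:
        return ACTION_NAMES.get(self.action, f"ACTION {self.action}")

    @property
    def succeeded(self) -> bool:
        return self.return_code == 0


def parse_os_audit_trail(text: str) -> List[AuditRecord]:
    """Turn the text trail into records; header and unknown lines are skipped."""
    records: List[AuditRecord] = []
    timestamp = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            timestamp = line          # applies to the record line that follows
            continue
        fields = dict(FIELD_RE.findall(line))
        if timestamp is None or "SESSIONID" not in fields:
            continue                  # not a record line: do not guess
        creator, name = fields.get("OBJ$CREATOR"), fields.get("OBJ$NAME")
        records.append(AuditRecord(
            timestamp=timestamp, session_id=fields["SESSIONID"],
            db_user=fields.get("USERID", ""), os_user=fields.get("OS$USERID", ""),
            user_host=fields.get("USERHOST", ""),
            action=int(fields.get("ACTION", "0")),
            return_code=int(fields.get("RETURNCODE", "0")),
            object_name=f"{creator}.{name}" if creator and name else None))
        timestamp = None
    return records


@dataclass
class Alert:
    rule: str
    record: AuditRecord


Rule = Callable[[AuditRecord], bool]   # a condition over one audit record


def grant_on_sensitive_object(r: AuditRecord) -> bool:
    # The paper's example: someone grants access to sensitive data. Attempts
    # count as well as successes, so RETURNCODE is deliberately not checked.
    return r.action == 17 and r.object_name in SENSITIVE_OBJECTS


def failed_logon(r: AuditRecord) -> bool:
    return r.action == 100 and not r.succeeded


def privileged_read_of_sensitive_object(r: AuditRecord) -> bool:
    return (r.action == 3 and r.db_user in PRIVILEGED_USERS
            and r.object_name in SENSITIVE_OBJECTS)


DEFAULT_RULES: Dict[str, Rule] = {
    "failed_logon": failed_logon,
    "grant_on_sensitive_object": grant_on_sensitive_object,
    "privileged_read_of_sensitive_object": privileged_read_of_sensitive_object,
}


def evaluate_alerts(records: List[AuditRecord],
                    rules: Dict[str, Rule] = DEFAULT_RULES) -> List[Alert]:
    # Each record is judged on its own, as Audit Vault alert conditions are.
    return [Alert(name, r) for r in records for name, cond in rules.items() if cond(r)]


if __name__ == "__main__":
    for a in evaluate_alerts(parse_os_audit_trail(SAMPLE_AUDIT_TRAIL)):
        r = a.record
        print(f"{r.timestamp}  {a.rule:36} {r.db_user}@{r.user_host} "
              f"{r.action_name} {r.object_name or ''} rc={r.return_code}")
```

Run stand-alone, the script reports three alerts from the constructed trail: the failed logon of DBA1 (ORA-01017), the GRANT on HR.SALARIES, and DBA1's subsequent SELECT from it. The rules ignore RETURNCODE where the paper speaks of "attempts", which is why an OS audit trail that records both success and failure (Table 1) is the right input for this kind of alerting; the same predicates can be applied unchanged to rows pulled from SYS.AUD$ once they are mapped to the same fields.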
 